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Authentication Indicator in Kerberos Tickets 

Abstract 
This document updates RFC 4120, as it specifies an extension in the 
Kerberos protocol. It defines a new authorization data type, 
AD-AUTHENTICATION-INDICATOR. The purpose of introducing this data 
type is to include an indicator of the strength of a client’s 
authentication in service tickets so that application services can 
use it as an input into policy decisions. 
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1. Introduction 


Kerberos [RFC4120] allows secure interaction among users and services 
over a network. It supports a variety of authentication mechanisms 
using its pre-authentication framework [RFC6113]. The Kerberos 
authentication service has been architected to support password-based 
authentication as well as multi-factor authentication using one-time 
password devices, public-key cryptography, and other 
pre-authentication schemes. Implementations that offer 
pre-authentication mechanisms supporting significantly different 
strengths of client authentication may choose to keep track of the 
strength of the authentication that was used, for use as an input 
into policy decisions. 


This document specifies a new authorization data type to convey 
authentication strength information to application services. 
Elements of this type appear within an AD-CAMMAC (Authorization Data 
type Container Authenticated by Multiple Message Authentication 
Codes) [RFC7751] container. 


2. Document Conventions 
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", “SHALL NOT", 


"SHOULD", “SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in RFC 2119 [RFC2119]. 


3. AD Type Specification 
The Key Distribution Center (KDC) MAY include authorization data of 


ad-type 97, wrapped in AD-CAMMAC, in initial credentials. The KDC 
MAY copy it from a ticket-granting ticket into service tickets. 
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The corresponding ad-data field contains the DER encoding [X.690] of 
the following ASN.1 [X.680] type: 


AD-AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String 


Each UTF8String value is a short string that indicates that a 
particular set of requirements was met during the initial 
authentication. These strings are intended to be compared against 
known values. They are not intended to store structured data. Each 
string MUST be either: 


o A URI that references a Level of Assurance Profile [RFC6711], or 


o A site-defined string, which MUST NOT contain a colon, whose 
meaning is determined by the realm administrator. 


Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST 
be included in an AD-CAMMAC container so that their contents can be 
verified as originating from the KDC. Elements of type 
AD-AUTHENTICATION-INDICATOR MAY safely be ignored by applications and 
KDCs that do not implement this element. 


4. Assigned Numbers 
RFC 4120 [RFC4120] is updated in the following way: 


o The ad-type number 97 is assigned for AD-AUTHENTICATION-INDICATOR, 
updating the table in Section 7.5.4 of RFC 4120 [RFC4120]. 


o The table in Section 5.2.6 of RFC 4120 [RFC4120] is updated to map 
the ad-type 97 to "DER encoding of AD-AUTHENTICATION-INDICATOR". 


5. Security Considerations 


Elements of type AD-AUTHENTICATION-INDICATOR are wrapped in AD-CAMMAC 
containers. AD-CAMMAC supersedes AD-KDC-ISSUED and allows both 
application services and the KDC to verify the authenticity of the 
contained authorization data. 


KDC implementations MUST use AD-CAMMAC verifiers as described in the 
security considerations of RFC 7751 [RFC7751] to ensure that 
AD-AUTHENTICATION-INDICATOR elements are not modified by an attacker. 
Application servers MUST validate the AD-CAMMAC container before 
making authorization decisions based on AD-AUTHENTICATION-INDICATOR 
elements. Application servers MUST NOT make authorization decisions 
based on AD-AUTHENTICATION-INDICATOR elements that appear outside of 
AD-CAMMAC containers. 
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Using multiple strings in AD-AUTHENTICATION-INDICATOR may lead to 
ambiguity when a service tries to make a decision based on the 
AD-AUTHENTICATION-INDICATOR values. This ambiguity can be avoided if 
indicator values are always used as a positive indication of certain 
requirements being met during the initial authentication. For 
example, if a "without-password" indicator is inserted whenever 
authentication occurs without a password, a service might assume this 
is an indication that a higher-strength client authentication 
occurred. However, this indicator might also be inserted when no 
authentication occurred at all (such as anonymous PKINIT). 


Application service evaluation of site-defined indicators MUST 
consider the realm of original authentication in order to avoid 
cross-realm indicator collisions. Failure to enforce this property 
can result in invalid authorization decisions. 


6. IANA Considerations 

This document does not require any IANA actions. 
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Appendix A. ASN.1 Module 


KerberosV5AuthenticationIndicators { 
iso(1) identified-organization(3) dod(6) internet (1) 
security(5) kerberosv5(2) modules (4) 
authentication-indicators (9) 


} DEFINITIONS EXPLICIT TAGS ::= BEGIN 
AD-AUTHENTICATION-INDICATOR ::= SEQUENCE OF UTF8String 
END 
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